In an environment where even the largest and most powerful corporations have fallen victim to data breaches, it can be challenging to fathom how to protect against the sophisticated and ever-evolving threat of cyber attacks. The US Securities and Exchange Commission (SEC) and other regulatory law enforcers are making clear that companies, broker-dealers, financial advisers, and others must make cybersecurity—both before and after an incident—a priority. The failure to take proactive measures, such as establishing and implementing written cybersecurity policies and procedures, can result in actionable conduct, even in instances without a cyber attack. When a firm experiences a data breach, not only are there significant business consequences, but the breach also increases the risk that regulators will evaluate the firm’s cybersecurity policies and initiate an enforcement review.
The SEC signaled its heightened scrutiny of cybersecurity preparedness by issuing its second Office of Compliance Inspections and Examinations (OCIE) Risk Alert. OCIE noted that the 2015 initiative will focus more on evaluating a firm’s implementation of its cybersecurity policies or procedures. This Risk Alert, combined with the SEC’s past cybersecurity guidance, emphasizes the SEC’s position that firms should be proactive instead of reactive. Because OCIE intends to actually test and evaluate each examined firm’s implementation of its cybersecurity systems, this round of examinations is more likely to result in findings of significant compliance deficiencies and, potentially, enforcement actions. In light of the SEC’s recent actions and public statements, it is clear that cybersecurity is a concern that all firms, irrespective of size, must proactively address by developing controls and procedures reasonably designed to detect and prevent cyber attacks.